
Presented by

Robert Richardson
CSI Director

Thanks!

The 2010/2011 Survey Report is available at GoCSI.com, either on its own or as part of a CSI membership.
Cyber Forensics:
Insights on Moving Forward

Jim Jaeger
Director, Cyber Defense & Forensics

December 2010
Cyber Security

Capabilities
• Commercial forensics & incident response
• Cyber operations & monitoring
• Digital forensics
• Indications & warning systems
• Network security
• Information operations

Key Solutions and Programs
• Department of Defense Cyber Crime Center (DC3)
• United States Computer Emergency Readiness Team (US-CERT)
• Department of Homeland Security National Infrastructure Coordinating Center, National Operations Center
• National Security Agency signals intelligence and exploitation
• Department of Justice/Federal Bureau of Investigation, Drug Enforcement Agency
Reaching Beyond Compliance
• Every large enterprise must now deal with constant cyber attacks
• 100% of the enterprises we’ve investigated were compliant with some security standard
• In their cases, compliance provided a false sense of security
• Every set of compliance standards is understood by hackers
• To protect your enterprise, the new price of doing business is going beyond compliance
Situational Awareness

“Often times, our situational awareness is, indeed, forensics--which means that something has happened and policing up after the fact--versus mitigating it in real time. We need real-time situational awareness in our networks, to see where something bad is happening and to take action there at that time. We do not have ‘common-operational picture’ for our networks. We need to get there. We need to build that.”

General Keith Alexander, Congressional Testimony, 9/23/2010
Cyber Situational Awareness

Know What Normal Is
• Knowing your network
• Recognize changes

Know the Threat
• How they move
• What they are after
• Where they are going

Share Information
• CSI Computer Crime and Security Report
• Industry discussions
• US-CERT
Key Strategies: Handling of Logs
• Logging enabled
– Significant – 25%
– Basic factory settings – 75%
• Log storage
– Long term – 5%
– Moderate – 40%
– Minimal – 55%
• Log review/analysis
– Limited – 50%
– None – 50%
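The two preceding slides make one operational point: "knowing what normal is" and "recognizing changes" only works if logs are enabled, kept, and actually reviewed. The following is an added example, not code from the presentation or from General Dynamics, showing the simplest form of that review: build a per-host baseline of normal peers and transfer sizes from a past window of log lines, then compare today's lines against it. The log format, host names, addresses and the volume threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample log lines (not from the presentation): past outbound
# connection records for two workstations, used as the "normal" baseline.
BASELINE_LOG = """\
2010-12-01T09:00:00 host=ws01 dst=10.0.0.5 port=443 bytes=1200
2010-12-01T09:05:00 host=ws01 dst=10.0.0.5 port=443 bytes=900
2010-12-01T09:10:00 host=ws01 dst=10.0.0.8 port=25 bytes=4000
2010-12-01T09:15:00 host=ws02 dst=10.0.0.5 port=443 bytes=1500
2010-12-01T09:20:00 host=ws02 dst=10.0.0.9 port=445 bytes=20000
2010-12-02T09:00:00 host=ws01 dst=10.0.0.5 port=443 bytes=1100
2010-12-02T09:15:00 host=ws02 dst=10.0.0.5 port=443 bytes=1400
""".splitlines()

# Constructed "today" lines to be reviewed against the baseline.
TODAY_LOG = """\
2010-12-08T09:00:00 host=ws01 dst=10.0.0.5 port=443 bytes=1300
2010-12-08T02:13:00 host=ws01 dst=203.0.113.7 port=443 bytes=1300
2010-12-08T09:15:00 host=ws02 dst=10.0.0.5 port=443 bytes=1450
2010-12-08T09:20:00 host=ws02 dst=10.0.0.9 port=445 bytes=900000
""".splitlines()

# Hypothetical key=value record layout; real logs need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) "
    r"port=(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for one record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def build_baseline(lines):
    """What normal is: per host, the (dst, port) pairs seen, plus the mean
    transfer size for each host/peer pair."""
    peers = defaultdict(set)
    sizes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["dst"], rec["port"])
        peers[rec["host"]].add(key)
        sizes[(rec["host"],) + key].append(rec["bytes"])
    return {
        "peers": dict(peers),
        "mean_bytes": {k: mean(v) for k, v in sizes.items()},
    }


def detect_changes(baseline, lines, volume_factor=10):
    """Recognize changes: unknown hosts, never-seen peers, and transfers far
    above the historical mean for a known host/peer pair. Unparsable lines
    are reported too, since a silent parse failure is itself a blind spot."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line))
            continue
        host, key = rec["host"], (rec["dst"], rec["port"])
        if host not in baseline["peers"]:
            findings.append(("new_host", host, line))
        elif key not in baseline["peers"][host]:
            findings.append(("new_peer", host, key, line))
        else:
            normal = baseline["mean_bytes"][(host,) + key]
            if rec["bytes"] > volume_factor * normal:
                findings.append(("volume_spike", host, key, line))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for finding in detect_changes(baseline, TODAY_LOG):
        print(finding)
```

On the constructed data this flags two lines: ws01 talking to a peer it has never contacted before, and ws02 moving roughly 45 times its usual volume to a known file-sharing peer. Both are exactly the "something has happened" signals the slides describe, and both are invisible if the 50% of organizations that never review logs, or the 55% that keep them only minimally, have no baseline to compare against.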
Evolving Situational Awareness Tool Set

Industry is recognizing the need. Capabilities are being developed in demos and test beds to create a “common operational picture”.
Evolving Investigative Arena

From one examiner/one case/one box, to forensics teams using distributed tools to work large data sets and cross-case analysis.

Requires technology
– SANs to store and access the data
– Strong network and data security to prevent contamination
– Sophisticated data mining and visualization tools
The Building Blocks: Partners
• Computer Emergency Response Team
• Cyber Forensic Organization
• Law Enforcement
• Legal Community

The team brings strength beyond that of an individual organization.
Jim Jaeger
Director, Cyber Defense & Forensics
General Dynamics Advanced Information Systems
240.294.2221
jim.jaeger@gd-ais.com
